The folklore is replete with stories of "secure" protection systems being compromised in a matter of hours. This is quite astounding since one is not likely to claim that a system is secure without some sort of proof to support the claim. In practice, proof is not provided and one reason for this is clear: although the protection primitives are apparently quite simple, they may potentially interact in extremely complex ways. Vague and informal arguments, therefore, often overlook subtleties that an adversary can exploit. Precision is not merely desirable for protection systems, it is mandatory.

Accordingly, this paper is devoted to the analysis of a specific protection system of both theoretical and practical interest. Theoretically, these problems are graph theoretic in flavor and they can reasonably be viewed as generalizations of "transitive closure". Roughly these protection questions can be modeled as:

Given: A directed labeled graph G and a set of rewriting rules R.

Determine: Whether or not there is a sequence of graphs G_1, G_2, ..., G_n such that G = G_1, G_n has property X, and G_{i+1} follows from G_i by some rule in R.

Here the G_i represent the protection state and property X encodes that there is a protection violation in G_n. Our goal then is to show that it is impossible to reach such a G_n, i.e. that a protection violation is impossible.

Property X is frequently stated as

X: there is an edge from vertex p to q with label α.

For these properties our protection questions do indeed look very much like transitive closure questions. Indeed, if the rules R only allowed the addition of edges, then these problems would be easily solved by known methods. They are not so simple. The rules of interest to those in protection, and the particular rules we will study, allow new vertices to be added. This simple change of allowing graphs to "grow new vertices" makes these problems challenging. Indeed the particular one we will study is no longer even obviously decidable.

Let us now make the above concrete by introducing the particular protection system we will study. We consider directed graphs whose arcs are labeled with an r or a w or a c. While we will manipulate these graphs as formal objects it is helpful to keep in mind the following informal semantics: A vertex corresponds to a "user", r = "read", w = "write", c = "call". If there is a directed arc from x to y with label r (respectively w, c), then x can read y (respectively write, call). We interpret this to mean that not only can x read the program and data of y but also that x can read the security information of y. (See a discussion of these issues in Section III.) For example, in the graph

[diagram: x --w--> y and x --r--> z]

x can write y, x can read z, but y cannot write z since this edge is missing. More formally, a protection graph is a finite, directed graph with each arc labeled by a nonempty subset of {r,w,c}. We interpret the case where an arc is labeled with other than a single element to mean that multiple "rights" are allowed.

This  protection  model,  called  the  take  and 
grant  system,  is  now  completed  by  presenting  five 
rewriting  rules. 

1. Take: Let x, y, and z be three distinct vertices in a protection graph and let there be an arc from x to y with label γ such that r ∈ γ and an arc from y to z with some label α ∈ {r,w,c}. Then the take rule allows one to add the arc from x to z with label α yielding a new graph G'. Intuitively x takes the ability to do α to z from y. We will represent* this rule by

x --r--> y --α--> z   ⊢   x --r--> y --α--> z together with the added arc x --α--> z


2. Grant: Let x, y and z be distinct vertices in a protection graph G and let there be an arc from x to y with label γ such that w ∈ γ and an arc from x to z with label α ∈ {r,w,c}. Then the grant rule allows one to add an arc from y to z with label α yielding a new graph G'. Intuitively x grants y the ability to do α to z. In our representation grant is given by:


† This work was supported in part by NSF under DCR-75-07251.

†† This work was supported in part by the Office of Naval Research grant N00014-75-C-0752 and in part by NSF grant DCR74-24193.

* Here and in later diagrams we abuse notation by writing an explicit right as arc label (x --r--> y) to mean the arc label contains that right (i.e., x --γ--> y such that r ∈ γ). We also omit the braces around sets.
question: in the graph


3. Create: Let x be any vertex in a protection graph, then create allows one to add a new vertex N and an arc from x to N with label {r,w,c} yielding a new graph G'. Intuitively x creates a new user that it can read, write and call. In our representation


4. Call: Let x, y and z be distinct vertices in a protection graph G and let α ∈ {r,w,c} be an arc from z to y and γ an arc from x to z such that c ∈ γ. Then the call rule allows one to add a new vertex N, an arc from N to y with label α, and an arc from N to z with label r yielding a new graph G'. Intuitively x is calling a program z and passing parameters y. The N "process" is created to effect the call: N can read the program z and can α the parameters. In our representation


is it possible for y to r z? The answer is obviously no since there is no r arc from y to z. But we are really asking: is there a sequence of rule applications that leads to a graph with an r arc from y to z? More generally, say p can α q if there is a series of rules that leads to a graph with an arc α from p to q. Then to state our question more precisely, we ask: Is it true that y can r z? Clearly, without create, the answer is no since none of the operations take, grant or call can apply. The following sequence of applications of the rules* shows that by using create the answer is yes:

[diagram: sequence of rule applications beginning with "y creates"; the remainder is lost in extraction]


5. Remove: Let x and y be distinct vertices in a protection graph G with an arc from x to y with label γ. Then the remove rule allows one to remove the arc from x to y yielding a new graph G'. Intuitively x removes its rights to y. In our representation

[diagram lost in extraction]


The remove rule is defined mainly for completeness, since protection systems tend to have such a rule. Moreover, we expect to study properties of protection systems other than protection violations which will use remove in a crucial way. But, for the present, remove may be ignored.

The operation of applying one of the rules to a protection graph G yielding a new protection graph G' is written G ⊢ G'. As usual G ⊢* G' denotes the reflexive, transitive closure.

An important technical point is that this system is monotone in the sense that if a rule can be applied, then adding arcs cannot change this. This property is crucial later. (See also [1].)

Now  that  we  have  seen  the  rules,  let  us  look 
at  their  behavior.  We  will  start  with  a simple 


* In the diagrams, dashed lines are used only as a visual aid to set off the added arcs of the current operation.
α = r implies {r,c} ∩ β ≠ ∅, or
α = w implies w ∈ β, or
α = c implies c ∈ β.
Our main theorem is stated in the next section. This theorem presents a complete answer to the question: Is it true that p can α q? Indeed this theorem leads easily to a linear time algorithm for answering the question.

A final word about how this theorem contributes to our understanding of protection. Each user of a protection system needs to know:

what information of mine can be accessed by others;

what information of others can be accessed by me?

The question is vague in general, but here it is rendered in the simple question: is it true that p can α q?

The types of protection models studied here have received considerable attention recently. Our approach is related closely to the interesting work of Harrison, Ruzzo, and Ullman [3]. They show that what can be called the "uniform safety problem" is undecidable. Interpreted as a graph model, their result says that given an arbitrary set of rules (similar in spirit to take, grant, etc.) and an initial graph, it is undecidable whether or not there will ever be an arc from p to q with label α. This is a uniform problem in the sense that the rules are arbitrary.

Even when the rules have to satisfy certain additional constraints the results of [3] and the results of Lipton and Snyder [5] show that protection is impractically complex.

Our view here is that since the uniform protection problem is so difficult and since operating systems usually require only one fixed set of protection rules, then the nonuniform problem should be studied. As stated before we choose the take and grant system by studying the protection literature. Note that some other nonuniform systems are trivially decidable. For example, consider a very simple system which has as its only rule, transfer, which is represented in our graph model as:


Informally, these conditions will state that p can α q if and only if there is an undirected path between p and q (condition 1) and some vertex x α's q (condition 2).

The first step is to demonstrate the necessity of conditions (1) and (2).

Lemma 1: Let G be a protection graph with vertices p and q and let α be a label. Then p can α q is true implies conditions (1) and (2) hold.

Proof: If there is an arc with label α from p to q in G then (1) and (2) are satisfied, so suppose there is no α arc from p to q in G and G_1, ..., G_n is a sequence such that p can α q. If (1) is not satisfied in G_i then it is not satisfied in G_{i+1} since no rule application connects vertices not already connected.

If (2) is not satisfied in G, let G_i be the first graph satisfying (2) and G_{i-1} ⊢ G_i. If the rule ρ applied is take or grant, the choice of G_i is violated. Create cannot place an incoming arc to q, so ρ must be call. But regardless of what α is, ρ = call violates our choice of G_i. □

To simplify matters later and to clear up an apparent anomaly in condition (2), we next show that if a user is allowed to call another user then he is allowed to read him as well. It is this fact that allows us to write {r,c} ∩ β ≠ ∅ in condition (2) rather than just r ∈ β.

Lemma 2: In a protection graph G, x --c--> y implies x can r y.


Proof: Apply the following rules:


The transfer rule was abstracted from a survey article on security enforcement [2]. The rule says that x can give away any right it currently has. Clearly in this system p can α q if and only if there exists initially an x such that there is an edge from x to q with label α.


II. Basic Results


A. Subject case

Our objective is to show that there are two simple conditions that are necessary and sufficient to determine if vertex p can α vertex q. Let G be a protection graph and α ∈ {r,w,c}. Call p and q connected if there exists a path between p and q independent of the directionality or labels of the arcs. Define the predicates:

Condition 1: p and q are connected in G.

Condition 2: there exists a vertex x in G and an arc from x to q with label β such that


[diagram for the proof of lemma 2: starting from x --c--> y, x call, yielding a new vertex N with label r,w,c; the remaining steps are lost in extraction] □


We  next  prove  a key  lemma  that  shows  that  the 
directionality  and  labels  along  a connected  path  are 
unimportant.  Call  vertices  p and  q of  a protection 
graph  directly  connected  if  there  is  an  arc  between 
them  independent  of  the  directionality. 

Lemma 3: Let p, q and x be distinct vertices in a protection graph, let there be an arc from x to q with label α and let p and x be directly connected. Then p can α q.

Proof: By monotonicity, there are only six distinct cases.

Case 1: [diagram: p --r--> x --α--> q; p take, yielding p --α--> q]

Case 2: [diagram: p --w--> x --α--> q; p create (new vertex N with label r,w,c), p grant; remaining steps lost in extraction]

Case 3: [diagram: p --c--> x --α--> q] By lemma 2 this can be written as [p --c,r--> x --α--> q] and we can appeal to case 1.

Case 4: [diagram: p <--r-- x --α--> q; p create (new vertex N with label r,w,c), x take, then a final take; remaining steps lost in extraction]

Case 5: [diagram: p <--w-- x --α--> q; x grant; remaining steps lost in extraction]

Case 6: [diagram lost in extraction] and we can apply case 4. □


We now use lemma 3 to prove three additional lemmas to be used in the basis of our later induction.

Lemma 4: Let p, q and x be distinct vertices in a protection graph such that p is directly connected to q and there is an arc from x to q with label γ such that {r,c} ∩ γ ≠ ∅. Then p can r q.

Proof: By lemma 2 we can assume that γ = r. Then we apply the following rules*:


Lemma 5: Let p, q and x be distinct vertices in a protection graph such that p is directly connected to q and there is an arc from x to q with label γ such that w ∈ γ. Then p can w q.

[diagram: rule sequence creating a new vertex N with label r,w,c; details lost in extraction]


Lemma 6: Let p, q and x be distinct vertices in a protection graph such that p is directly connected to q and there is an arc from x to q with label γ such that c ∈ γ. Then p can c q.

Proof: Apply the following rules:

[diagram: x create (new vertex N_1 with label r,w,c), x call (new vertex N_2), x grant; details lost in extraction]

By an application of lemma 3 (on q, x, N_1) we realize

[diagram lost in extraction]

By a second application of lemma 3 (on p, q, x, N_1) we get

[diagram lost in extraction]

then p takes c:

[diagram lost in extraction] □

Theorem 1: Let p and q be distinct vertices in a protection graph and α a label. Conditions (1) and (2) are necessary and sufficient to imply p can α q.

Proof: Lemma 1 demonstrates necessity so we proceed by induction to show sufficiency. Let p = x_n, x_{n-1}, ..., x_1, x_0 = q be the vertices on a connected path.

(Basis) For n = 1, there are two possibilities. The x guaranteed by condition (2) either coincides with x_1 = p, in which case the sufficiency is immediately true, or else x and x_1 are distinct. By lemmas 4, 5 and 6, p can α q.

(Induction) Suppose the theorem is true for n ≥ 1 and p = x_{n+1} and x_{n+1} is directly connected to x_n. By hypothesis x_n can α q, and by lemma 3 this implies x_{n+1} can α q. □

Corollary 1: There is an algorithm for deciding if p can α q that operates in linear time in the size of the protection graph.

Proof: To verify condition (1) apply Tarjan [6]. Verifying condition (2) requires no more time than scanning the in arcs to vertex q. □

An obvious consequence of the constructions of this section is that it is simple to acquire the right to a given object if it can be acquired.

Corollary 2: If p can α q then there is an algorithm to add an arc from p to q with label α that is linear in the length of the path between p and q.
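The decision procedure of Theorem 1 and Corollary 1, as an added Python example (not code from the paper): `can` checks condition (1) with an undirected breadth-first search and condition (2) by scanning the in-arcs of q, and `closure` is an added brute-force oracle that lets every vertex create once and then applies take and grant to a fixpoint, so the two can be compared on small graphs labeled with r and w. The arc format, the names `N_<v>` for created vertices and the sample graphs are assumptions of this example.

```python
from collections import deque

RIGHTS = ("r", "w", "c")

# Condition (2) of the paper as a table: to obtain alpha on q, some in-arc x -> q must carry a
# right in this set (alpha = r is satisfied by a c arc as well, by lemma 2).
CONDITION_2 = {"r": {"r", "c"}, "w": {"w"}, "c": {"c"}}


def arcs_from(labeled):
    """Assumed input format: ('x', 'y', 'rw') becomes the arcs ('x','y','r') and ('x','y','w')."""
    return {(x, y, right) for x, y, label in labeled for right in label}


def vertices(arcs):
    return {x for x, _, _ in arcs} | {y for _, y, _ in arcs}


def connected(arcs, p, q):
    """Condition (1): a path between p and q ignoring direction and labels (undirected BFS)."""
    adj = {}
    for x, y, _ in arcs:
        adj.setdefault(x, set()).add(y)
        adj.setdefault(y, set()).add(x)
    seen, todo = {p}, deque([p])
    while todo:
        v = todo.popleft()
        if v == q:
            return True
        for u in adj.get(v, ()):
            if u not in seen:
                seen.add(u)
                todo.append(u)
    return False


def can(arcs, p, q, alpha):
    """Theorem 1 / Corollary 1: p can alpha q iff conditions (1) and (2) hold.
    One BFS plus one scan of the in-arcs of q: linear in the size of the graph."""
    if p == q or alpha not in RIGHTS:
        raise ValueError("p and q must be distinct and alpha one of r, w, c")
    if not connected(arcs, p, q):
        return False
    return any(y == q and beta in CONDITION_2[alpha] for _, y, beta in arcs)


def closure(arcs):
    """Brute-force oracle (an assumption of this example, not a construction from the paper):
    every original vertex creates one new vertex N_<v>, then take and grant are applied until
    no new arc appears.  Because the system is monotone (rules only add arcs), the fixpoint
    contains every arc that any sequence of those creates, takes and grants could produce.
    The call rule is not simulated, so the oracle is only meaningful for r/w-labeled graphs."""
    arcs = set(arcs)
    for v in sorted(vertices(arcs)):
        arcs |= {(v, "N_" + v, right) for right in RIGHTS}  # create: v gets r, w, c on N_v
    while True:
        new = set()
        for x, y, g in arcs:
            for a, b, alpha in arcs:
                # take: x -r-> y and y -alpha-> b with x, y, b distinct yield x -alpha-> b
                if g == "r" and a == y and b != x:
                    new.add((x, b, alpha))
                # grant: x -w-> y and x -alpha-> b with x, y, b distinct yield y -alpha-> b
                if g == "w" and a == x and b != y:
                    new.add((y, b, alpha))
        if new <= arcs:
            return arcs
        arcs |= new


def can_by_search(arcs, p, q, alpha):
    return (p, q, alpha) in closure(arcs)


# Constructed sample: x can write y and read z (the graph of the paper's first informal example).
EXAMPLE = arcs_from([("x", "y", "w"), ("x", "z", "r")])

if __name__ == "__main__":
    for alpha in ("r", "w"):
        print("y can", alpha, "z:", can(EXAMPLE, "y", "z", alpha),
              "(search:", can_by_search(EXAMPLE, "y", "z", alpha), ")")
```

Having w on q does not let anyone obtain r on q however much the component cooperates, which is exactly what condition (2) encodes; the oracle confirms it on the small graphs.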

The consequence of theorem 1 is that we can precisely state the protection "policy" for our take grant system:

Policy: If p can initially read (write) (call) q then any user in the connected component containing p and q can also obtain the right to read (write) (read and call) q.

The policy is probably less discriminating than the reader might have expected. This is especially true considering that people usually "believe" these systems to be more discriminating. The difficulty is that up to now we have, for technical reasons, abstracted away an important distinction that is usually made for capability based security systems: the subject-object distinction.
B. Subject/Object Security

The vertices of our graphs have been thought of as "users," i.e. active agents capable of taking and granting. But these properties are not usually ascribed to files. Hence, it is customary to recognize two kinds of system components: subjects and objects. [3] In our graph model we can think of the vertices as being two colored.

To extend our present model to incorporate objects, we define a subject-object protection graph as a finite, directed graph whose vertices are partitioned into two sets, subjects and objects, and whose arcs are labeled with {r}, {w} or {r,w}. An S-O take grant system has the following rewriting rules, where solid vertices represent subjects, open vertices represent objects and crossed vertices represent either subjects or objects.


But, if we add an "agent" vertex, t, to the previous diagram,

[diagram ** lost in extraction]

p can r q, as the following sequence establishes:

[diagram: t take, t grant; details lost in extraction]

† As usual, x, y and z must be distinct.

The subject-object protection graphs do not use "c", nor is the call operation defined for the S-O take grant system. We conjecture that this can be done with little difficulty, but it contributes little to the subsequent (already too complex) development.

In order to see that the above rules do in fact introduce a new set of problems, consider the following subject-object protection graph:


[diagram *: rule sequence q take, q grant, s create, s grant; details lost in extraction]

Now, if all vertices were subjects, then by [...] p can r q. As it is, p cannot r q (see [...] below) even though the w's on the diamond [...] "information" (but not "security information") could move from p to q. The reason "security information" cannot be moved around is that [...] taking and granting to accomplish its [...]; objects are prevented by the rules from [...]. Accordingly, objects may be thought of as programs as well as files.


[diagram: rule sequence N take, N grant; the remainder is lost in extraction]

And  now,  by  a sequence  of  3 takes,  p can  r q. 

The effect of the preceding discussion is that objects can form "barriers" for security information (e.g., in diagram *) but that in closely related cases (e.g., diagram **) the barrier is ineffective. Thus, the addition of objects has increased the complexity of these systems. We dedicate the remainder of this section to establishing conditions under which p can α q for S-O take-grant systems. We only treat the "subject-subject case", i.e., when p and q are both subjects.

We will now proceed with the analysis of the S-O take grant system.

Let p and q be subjects and let x_1, ..., x_k (k ≥ 1) be objects such that p is directly connected to x_1, x_i is directly connected to x_{i+1}, and x_k is directly connected to q. Then we will say that p, x_1, ..., x_k, q is a path from p to q. With each such path we associate a word over the alphabet


is a path p, x_1, ..., x_k, q with p in one block and q in the other such that the word of the path is in E. In diagram **, there is a bridge from p's block to t's block and a bridge from t's block to q's block.

We are now ready to state our theorem:

Theorem 2: Let G be a subject/object protection graph. Also let p_0, q_0 be subjects with some edge from some subject to q_0 with label α ∈ {r,w}. Then p_0 can α q_0 if and only if

Condition 3: there exists a sequence of blocks B_1, ..., B_m with p_0 in B_1, q_0 in B_m and for each i = 1, ..., m-1 there is a bridge from B_i to B_{i+1}.

Proof: First suppose that Condition 3 is true. Then by lemma 7 there is a sequence of takes, grants and creates that gets p_0 and q_0 in the same block. Now by theorem 1, p_0 can α q_0. Conversely, suppose p_0 can α q_0. We must show that condition 3 is true. Assume that it is not.


{r, r̄, w, w̄}

formed by concatenating the edge labels in the order from p to q (with the obvious interpretation: o --r--> o corresponds to r and so on.) For example, the path

[diagram: a path p, x_1, x_2, x_3, q with an r arc at each end; the middle labels are lost in extraction]


For each path p, x_1, ..., x_k, q that joins two blocks use lemma 7 to get p, q directly connected. Let H be the resulting graph. Then in H, p_0 can α q_0 and there are no bridges. Moreover, since condition 3 is false, p_0 and q_0 lie in different blocks. Now, since p_0 can α q_0, there is a sequence of operations that will cause p_0 and q_0 to be directly connected; thus there must be a place where two vertices of different blocks are made to be directly connected. We plan to show that this is impossible.


has the word r w̄ w r associated with it.

Let E be the union of the following regular events:

(1) r([?])+

(2) [?]([?])+

(3) ([?])* [?] ([?])+

(4) ([?])* [?] (r)+

(5) (r)+ w (r)*

(6) (r)+ w (r)*

(the overbars that distinguish r̄ and w̄ from r and w are lost in the scan, and the symbols marked [?] are illegible) where A+ = AA*. The key idea behind this definition is that paths with words that lie in E allow their subjects (i.e., end points) to "communicate". More precisely,


We first observe that if two vertices of different blocks are made directly connected at some point, then there must already exist a bridge between these blocks. (But not necessarily a bridge in H.) In detail let p, q reside in distinct blocks in H' (H ⊢* H') and some operation add an edge from p to q with label β. Then if this operation is a take

[diagram lost in extraction]

it follows that p, x, q is a bridge between the blocks. On the other hand, if this operation is a grant

[diagram lost in extraction]


Lemma 7: If p, x_1, ..., x_k, q is a path with a word in E, then there is a sequence of takes, grants, and creates such that p and q are directly connected.

The key to showing the decidability of the S-O take and grant system is to, in a sense, obtain a converse to this lemma. In order to state this result we need several further concepts.

Let G be a subject object protection graph. Then B is a block of G provided B is a maximal set of subjects such that B is connected with respect to the relation: directly connected. Notice that in diagram * p and q are in different blocks while q and s are in the same block. A bridge between two distinct blocks


Then p, q are already in the same block which is impossible. Thus we know that there is a sequence of operations on H that creates a bridge between two distinct blocks. Let H' be such that there is no such bridge in H' and H'' has one where H ⊢* H' ⊢ H''.

Now we need only argue that H' must already have a bridge to complete the proof. Let p, x_1, ..., x_k, q be the bridge in H''. Clearly one of its edges was added by either a take or grant from H'. First assume that it was a take. Then (convention: p = x_0, q = x_{k+1})

[diagram lost in extraction]
for some vertex y and some label β. (We have assumed the edge goes from x_i to x_{i+1}; the dual case is similar.) By the definition of path, x_i must equal p, i.e., i = 0. If y is a subject then y, x_1, ..., x_k, q is already a bridge; if y is an object then p, y, x_1, ..., x_k, q is already a bridge since if δ is in E then so is rδ. Thus the operation was not a take. It can then only be a grant. Thus,

[diagram lost in extraction]

for some vertex s and label β. (We have again assumed a direction without loss of generality.) Now s is in the same block as q. For either x_{i+1} = q or s, x_{i+1}, ..., x_k, q is a bridge: the latter uses the fact that E is closed under suffix. Thus x_i ≠ p. Now we claim that p, x_1, ..., x_i, s is a bridge which is impossible: If β = r, then we are using the fact that


graph with an edge from p to q with label ℓ. The key to this problem is that while label ℓ can be taken and granted it has no special role(s) as r, w, and c do. The label ℓ is simply something that is passed around, and that is all. A graph such as

[diagram: p, x, q joined by two arcs; the labels are illegible in the scan]

shows that our theorem 1 is no longer true.

Another way to modify our system is to control the amount of cooperation necessary to obtain a particular right. With each rule application the vertex that is denoted x in our definitions will be called a conspirator. Thus in

[diagram: x --r,w,c--> N]

x is a conspirator. Then an interesting question is: can p α q with at most m conspirators?

One might then hope to attach some kinds of likelihoods in a precise way to whether or not a system is secure.


δ r λ in E implies δ w in E.

If β = w, then we are using the fact that

δ w λ in E implies δ w in E.

Therefore we have reached a contradiction and the theorem is proved.


In general there are many other problems to be studied. All of these problems are in a sense generalizations of transitive closure. The key and most important aspect of this generalization is that the most interesting rules allow "growth", i.e. the addition of new vertices. It appears that understanding the structure of such problems is interesting beyond its application to the study of protection models.


Evidently, the S-O take and grant system provides for a more discriminating policy than the take and grant system.

Corollary 3: For the S-O take and grant system there is an algorithm to decide if p can α q.


III. Discussions

We have used a "generalization" of transitive closure in order to abstract the behavior of two kinds of protection systems: those with just subject components and those with subject-object components. Our choice of primitive rules has been strongly motivated by the protection literature. But we do not believe we have defined the only interesting set of protection rules. There are probably many others and we expect that much work remains in identifying sets that may be efficiently verified as well as having highly discriminating policies.

Another direction for research is to add inert rights. For example consider a protection graph G where there is an edge from vertex x to vertex q with label ℓ where ℓ is a new type of label. We then wish to know if p can ℓ q, i.e. if there is a series of takes, grants, creates, and calls that lead to a